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IN THE CLAIMS 

For the convenience of the Examiner, all pending claims of the present Application 
are shown below whether or not an amendment has been made. 

1. (Previously presented) A method of detecting viral code in subject files, 
comprising: 

creating an artificial memory region spanning one or more components of the 
operating system, wherein the artificial memory region is associated with an export table of a 
dynamically-linked library; 

emulating execution of at least a portion of computer executable code in a subject file; 

monitoring attempts by the emulated computer executable code to access the artificial 
memory region; 

in response to detecting an attempt to access the artificial memory region, determining 
an export table entry in the export table of the dynamically-linked library that is associated 
with the attempt to access the artificial memory region; and 

determining based on the export table entry associated with the attempt to access the 
artificial memory region that the emulated computer executable code is viral. 

2. (Canceled) 

3. (Canceled) 

4. (Previously presented) The method of claim 1, further comprising: 
emulating functionality of an identified operating system call while monitoring the 

operating system call to determine whether the computer executable code is viral. 
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5. (Canceled) 

6. (Canceled) 

7. (Canceled) 

8. (Original) The method of claim 1, further comprising monitoring access by 
the emulated computer executable code to dynamically linked functions. 

9. (Previously presented) The method of claim 8, wherein the artificial memory 
region spans a jump table containing pointers to the dynamically linked functions. 
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10. (Previously presented) A program storage device readable by a machine, 
tangibly embodying a program of instructions executable by the machine to perform method 
steps for detecting viral code in subject files, the method steps comprising: 

creating an artificial memory region spanning one or more components of the 
operating system, wherein the artificial memory region is associated with an export table of a 
dynamically-linked library; 

emulating execution of at least a portion of computer executable code in a subject file; 

monitoring attempts by the emulated computer executable code to access the artificial 
memory region; 

in response to detecting an attempt to access the artificial memory region, determining 
an export table entry in the export table of the dynamically-linked library that is associated 
with the attempt to access the artificial memory region; and 

determining based on the export table entry associated with the attempt to access the 
artificial memory region that the emulated computer executable code is viral. 



DAL0 1:103404 1.1 



ATTORNEY DOCKET NO. 063170.6291 



PATENT 
Serial No. 09/905,532 



5 

1 1 . (Previously presented) A computer system, comprising: 
a processor; and 

a program storage device readable by the computer systems, tangibly embodying a 
program of instructions executable by the processor to perform method steps for detecting 
viral code in subject files, the method comprising: 

creating an artificial memory region spanning one or more components of the 
operating system, wherein the artificial memory region is associated with an export 
table of a dynamically-linked library; 

emulating execution of at least a portion of computer executable code in a 
subject file; 

monitoring attempts by the emulated computer executable code to access the 
artificial memory region; and 

determining based on the export table entry associated with the attempt to 
access the artificial memory region that the emulated computer executable code is 
viral. 
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12. (Previously presented) A computer data signal embodied in a computer- 
readable medium which embodies instructions executable by a computer for detecting in a 
subject file viral code that uses calls to an operating system, the signal comprising: 

a first segment comprising CPU emulator code, wherein the CPU emulator code 
emulates execution of at least a portion of computer executable code in the subject file; 

a second segment comprising memory manager code, wherein the memory manager 
code creates an artificial memory region spanning components of the operating system a 
wherein the artificial memory region is associated with an export table of a dynamically- 
linked library; and 

a third segment comprising monitor code, wherein the monitor code: 

monitors attempts by the emulated computer executable code to access the 

artificial memory region; 

in response to detecting an attempt to access the artificial memory region, 

determining an export table entry in the export table of the dynamically-linked library 

that is associated with the attempt to access the artificial memory region;_and 

determines based on the export table entry associated with the attempt to 

access the artificial memory region that the emulated computer executable code is 

viral. 

13. (Previously presented) The computer data signal of claim 12, further 
comprising: 

a fourth segment comprising analyzer code, wherein the analyzer code emulates 
functionality of the identified operating system call to determine whether the computer 
executable code is viral. 
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14. (Previously presented) An apparatus for detecting in a subject file viral code 
that uses calls to an operating system, comprising: 

a processor; 

a memory; 

a CPU emulator; 

a memory manager component that creates an artificial memory region spanning at 
least a portion of the memory associated with an export table of a dynamically-linked library; 
and 

a monitor component, wherein the CPU emulator emulates execution of at least a 
portion of computer executable code in the subject file, and the monitor component: 

monitors attempts by the emulated computer executable code to access the 
artificial memory region; 

in response to detecting an attempt to access the artificial memory region, 
determining an export table entry in the export table of the dynamically-linked library 
that is associated with the attempt to access the artificial memory region;_and 

determines based on the export table entry associated with the attempt 
to access the artificial memory region that the emulated computer executable 
code is viral. 

15. (Previously presented) The apparatus of claim 14, further comprising: 
an auxiliary component; and 

an analyzer component, 

wherein the auxiliary component emulates functionalities of an identified operating 
system call, and the monitor component monitors the operating system call to determine 
whether the computer executable code is viral, while emulation continues. 

16. (Previously presented) The apparatus of claim 15, wherein the auxiliary 
component emulates functionalities of the operating system call. 

17. (Canceled) 
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18. (Canceled) 

19. (Canceled) 

20. (Original) The apparatus of claim 14, wherein the artificial memory region 
created by the memory manager component spans a jump table containing pointers to 
dynamically linked functions, and the monitor component monitors access by the emulated 
computer executable code to the dynamically linked functions. 
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21 . (Previously presented) The method of claim 1 , further comprising: 
monitoring accesses by the emulated computer executable code to the artificial 

memory region to detect looping; and 

determining based on a detection of looping that the emulated computer executable 

code is viral. 

22. (Previously presented) The method of claim 1, wherein creating an artificial 
memory region comprises creating a custom version of the export table with predetermined 
values for the entry points. 

23. (Previously presented) The method of claim 1, further comprising: 
monitoring access by the emulated computer executable code to dynamically linked 

functions; and 

determining based on attempted access to dynamically linked functions that the 
emulated computer executable code is viral. 
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